AZ-104 Implement and Manage Virtual Networking Practice Question
This AZ-104 practice question tests your understanding of implementing and managing virtual networking. Match the stated requirement to the specific cloud service, access model, or configuration option; many options are valid in isolation but not for this scenario. After answering, read the full explanation and wrong-answer breakdown below to reinforce the concept and understand why each distractor is designed to mislead on exam day.
Exhibit
Storage account: reportsa
Public network access: Enabled
Selected networks: none
VM subnet: app-subnet
Requirement notes:
- Keep the storage account on its public endpoint.
- Permit only workloads in app-subnet to reach the account.
- Do not assign static public IP addresses to the VMs.
Based on the exhibit, which network feature should you use so only the subnet can reach the storage account while still using the public endpoint?
A
Create a private endpoint and disable the storage account public endpoint.
Why wrong: A private endpoint changes the design to private IP connectivity and is not what the exhibit asks for. The requirement explicitly says to keep the public endpoint.
B
Enable a service endpoint on app-subnet and allow that subnet on the storage firewall.
A service endpoint is the correct choice when you want the storage account to remain on its public endpoint but only allow traffic from a specific subnet. It extends the subnet identity to the service without requiring static public IP addresses on the VMs.
C
Add a NAT gateway to app-subnet and use the NAT public IP for firewall rules.
Why wrong: A NAT gateway provides outbound internet connectivity through a static public IP, but it does not provide subnet-based authorization to the storage account in the same way as a service endpoint.
D
Peer app-subnet with a new VNet and access the storage account through peering.
Why wrong: VNet peering connects virtual networks to each other, but it does not by itself grant storage service access or replace the storage firewall requirement in the exhibit.
Correct answer & explanation
✓
Enable a service endpoint on app-subnet and allow that subnet on the storage firewall.
Option B is correct because enabling a service endpoint on the app-subnet allows traffic from that subnet to reach the storage account over the Azure backbone network while still using the public endpoint. By then adding the subnet to the storage account firewall, you restrict access to only that subnet, ensuring no other internet traffic can reach the storage account. This approach leverages the public endpoint but with subnet-level access control, meeting the requirement.
Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.
Answer analysis
Option-by-option breakdown
For each option: why learners choose it and why it is or isn't the right answer here.
✗
Create a private endpoint and disable the storage account public endpoint.
Why it's wrong here
A private endpoint changes the design to private IP connectivity and is not what the exhibit asks for. The requirement explicitly says to keep the public endpoint.
✓
Enable a service endpoint on app-subnet and allow that subnet on the storage firewall.
Why this is correct
A service endpoint is the correct choice when you want the storage account to remain on its public endpoint but only allow traffic from a specific subnet. It extends the subnet identity to the service without requiring static public IP addresses on the VMs.
Related concept
Read the scenario before looking for a memorised answer.
✗
Add a NAT gateway to app-subnet and use the NAT public IP for firewall rules.
Why it's wrong here
A NAT gateway provides outbound internet connectivity through a static public IP, but it does not provide subnet-based authorization to the storage account in the same way as a service endpoint.
✗
Peer app-subnet with a new VNet and access the storage account through peering.
Why it's wrong here
VNet peering connects virtual networks to each other, but it does not by itself grant storage service access or replace the storage firewall requirement in the exhibit.
Common exam traps
Common exam trap: answer the scenario, not the keyword
The trap here is that candidates often confuse service endpoints with private endpoints, thinking that only private endpoints can provide secure access, but service endpoints allow subnet-specific access while keeping the public endpoint enabled.
Detailed technical explanation
How to think about this question
Service endpoints extend the VNet identity to the Azure service, allowing the storage account firewall to recognize traffic from the subnet by its virtual network ID rather than a public IP. This works by adding the subnet's prefix to the storage account's firewall rules, and traffic is routed directly over the Azure backbone without going through the internet. In real-world scenarios, this is commonly used for secure access to PaaS services like Azure Storage or SQL Database from specific subnets without needing a private endpoint.
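The check below is an added example, not part of the original page or Courseiva's material: it audits a storage account and subnet, given as ARM-shaped JSON (`properties.networkAcls`, `properties.serviceEndpoints`), against the three requirement notes in the exhibit. The subscription, resource group and VNet names are constructed, and the "before" state is one assumed reading of the exhibit with no restrictions applied yet.

```python
# Added example: audit ARM-shaped resource JSON against the exhibit's requirements.
# Every ID and sample document below is constructed for illustration.
SUBNET_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo"
             "/providers/Microsoft.Network/virtualNetworks/vnet-demo/subnets/app-subnet")

def audit(account, subnet, allowed_subnet_id):
    """Return findings; an empty list means the scenario's requirements are met."""
    findings = []
    props = account.get("properties", {})
    acls = props.get("networkAcls", {})
    allowed = allowed_subnet_id.lower()  # ARM resource IDs are case-insensitive

    # Requirement: keep the storage account on its public endpoint.
    if props.get("publicNetworkAccess", "Enabled") != "Enabled":
        findings.append("public network access is not Enabled")
    # Without a default Deny, a subnet rule restricts nothing.
    if acls.get("defaultAction") != "Deny":
        findings.append("defaultAction is not Deny")
    # Requirement: only app-subnet may reach the account.
    rule_ids = {r.get("id", "").lower() for r in acls.get("virtualNetworkRules", [])}
    if allowed not in rule_ids:
        findings.append("no virtual network rule for app-subnet")
    findings += [f"unexpected subnet allowed: {i}" for i in sorted(rule_ids - {allowed})]
    # An IP rule (the NAT gateway approach) admits a public address, not the subnet.
    findings += [f"public IP rule present: {r.get('value')}" for r in acls.get("ipRules", [])]
    # The subnet itself must carry the Microsoft.Storage service endpoint.
    endpoints = subnet.get("properties", {}).get("serviceEndpoints", [])
    if "Microsoft.Storage" not in {e.get("service") for e in endpoints}:
        findings.append("Microsoft.Storage service endpoint missing on subnet")
    return findings

# Constructed "before" state: no network restrictions configured yet.
BEFORE_ACCOUNT = {"properties": {"publicNetworkAccess": "Enabled", "networkAcls": {
    "defaultAction": "Allow", "virtualNetworkRules": [], "ipRules": []}}}
BEFORE_SUBNET = {"properties": {"serviceEndpoints": []}}

# Constructed "after" state: option B applied.
AFTER_ACCOUNT = {"properties": {"publicNetworkAccess": "Enabled", "networkAcls": {
    "defaultAction": "Deny", "ipRules": [],
    "virtualNetworkRules": [{"id": SUBNET_ID, "action": "Allow"}]}}}
AFTER_SUBNET = {"properties": {"serviceEndpoints": [{"service": "Microsoft.Storage"}]}}

if __name__ == "__main__":
    for label, acct, sub in (("before", BEFORE_ACCOUNT, BEFORE_SUBNET),
                             ("after", AFTER_ACCOUNT, AFTER_SUBNET)):
        print(label, audit(acct, sub, SUBNET_ID) or "OK")
```

A configuration built around options A or C fails the same audit: disabling public network access trips the first check, and a firewall rule on a NAT public IP is reported as an IP rule with no subnet rule behind it.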
Key Concepts to Remember
- Read the scenario before looking for a memorised answer.
- Find the constraint that changes the correct option.
- Eliminate answers that are true in general but not in this case.
Exam Day Tips
- Watch for words such as best, first, most likely and least administrative effort.
- Review why wrong options are wrong, not only why the correct option is correct.
Key takeaway
Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.
Real-world example
How this comes up in practice
A media company stores terabytes of video archives that are accessed once a year for audit purposes. Moving these objects to a cold storage tier (Azure Archive, S3 Glacier, or Google Nearline) costs a fraction of hot storage. Questions like this test whether you understand storage tiers, access frequency tradeoffs, and retrieval latency requirements.
Related glossary terms
Concepts from this question explained
These glossary pages explain the core terms tested in this AZ-104 question in full detail.
Implement and Manage Virtual Networking: this question tests Implement and Manage Virtual Networking. Read the scenario before looking for a memorised answer.
What is the correct answer to this question?
The correct answer is: Enable a service endpoint on app-subnet and allow that subnet on the storage firewall. — Option B is correct because enabling a service endpoint on the app-subnet allows traffic from that subnet to reach the storage account over the Azure backbone network while still using the public endpoint. By then adding the subnet to the storage account firewall, you restrict access to only that subnet, ensuring no other internet traffic can reach the storage account. This approach leverages the public endpoint but with subnet-level access control, meeting the requirement.
What should I do if I get this AZ-104 question wrong?
Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.
What is the key concept behind this question?
Read the scenario before looking for a memorised answer.
About these practice questions
Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content.
This AZ-104 practice question is part of Courseiva's free Microsoft certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the AZ-104 exam.